France: The new national cloud strategy - data transfers and localisation implications
The French Government ('the Government') announced1, on 17 May 2021, that Bruno Le Maire, Ministry of Economy, Finance, and Recovery, Amélie de Montchalin, Minister of Transformation and Public Service, and Cédric O, Secretary of State for Digital Transition and Electronic Communications, have presented, on the same day, the French national cloud strategy ('the Strategy'), built in line with others European initiative on the matter. OneTrust DataGuidance analyses this development and its significance.
In particular, the Government outlined that cloud technologies bring along three major challenges for France: the transformation of private organisations and public administrations, France's digital sovereignty, and economic competitiveness. In addition, the Government noted that the cloud presents risks for the integrity of French citizens' data, both from a technical stand point, with increasing cyber attack activities, and from a legal perspective, considering the presence of extraterritorial legislation providing access to the data of citizens and French administrations and organisations to foreign countries.
To meet these challenges, the Government highlighted that the Strategy has been developed upon three main policies.
1. A new trusted cloud label
The Strategy aims to create a new label for trusted cloud service providers in order to support the use of the best international cloud services whilst protecting the data of French citizens and ensuring a high level of security of such data. To this end, the Strategy highlights that raising the level of protection for personal data is a priority and that the label will be based on 'SecNumCloud' Security Visa, as offered by the National Cybersecurity Agency of France ('ANSSI').
In particular, the trusted cloud label will offer a double level of security - legal and technical. In relation to the potential use of non-European cloud services providers, the Strategy notes that these organisations may also be labelled as trusted cloud providers where certain conditions, relating in particular to the entity operating these services and the location of the stored data, are met. In this way, the label will allow the creation of organisations combining European shareholding and foreign technologies under licence.
In addition, and in order to ensure, by design, protection against the risks of access to data due to the application of extraterritorial regulations and to obtain the 'SecNumCloud' Security Visa, the cloud solutions must meet the following conditions:
- fulfil the security requirements associated with the 'SecNumClouc' technical reference2;
- locate the infrastructures and operate the systems in Europe; and
- ensure the operational and commercial support of the offer by a European entity, owned by European actors.
On the relationship between the localisation requirements envisioned by the Strategy and global personal data transfers, Sonia Cissé, Head of the Technology, Media and Telecommunications/Privacy team at Linklaters Business Services, told OneTrust DataGuidance, "Although it is not a direct consequence, it is clear that the Government's new policy on the development of a French cloud also aim to address the data transfer issues raised by the Schrems II judgment. The adoption of such a cloud would ensure that data is hosted on servers located in France and only operated by European organisations, without the possibility of transferring it to countries that do not offer an equivalent level of protection. This would limit global data transfers and offer an alternative to the extraterritorial investigation powers of certain foreign authorities."
Furthermore, and in relation to the data protection implications of the Strategy for private organisations dealing with government entities in their operations, Cissé added, "If government entities are subject to the use of the French cloud, it is clear that their service providers and co-contractors will be pressured to provide data protection guarantees that meet the pillars implemented under [the Strategy], including the one referred to by the Government as the 'maximum protection for data.' It will thus be difficult for organisations to justify data governance that involves transfers to countries outside the EU. In any case, transfers will have to be fully supported by serious compliance documentation such as Standard Contractual Clauses and transfer impact assessments, as well as being accompanied by related risk mitigation measures."
2. 'Cloud at the centre' policy
The Strategy further aims to place cloud services at the centre and to modernise public action through the use of cloud technologies. In particular, as the new policy outlined by the Strategy, which will be further explained in a circular, applies to Ministries and organisations under their supervision, the cloud will become the default hosting method for digital services of the State, new digital products, and for products undergoing a substantial evolution.
More specifically, the digital services of the administration will be hosted on one of the two internal inter-ministerial clouds of the State or on the cloud offers proposed by manufacturers that meet strict security criteria.
In particular, every digital product handling sensitive data, whether it be personal data of French citizens, business data relating to French companies, or business applications relating to the State's public servants, must be hosted on the State's internal cloud or on an industrial cloud labelled as 'SecNumCloud' by the ANSSI and protected against any extraterritorial legislation's application.
3. Industrial strategy
The third pillar of the Strategy consists in the implementation of a strong industrial policy though the direct support of high value-added projects that will allow the consolidation and the building of new cloud tools and services. More specifically, the industrial policy will target critical technologies such as Platform as a Service ('PaaS') solutions for the deployment of, among other things, artificial intelligence, and Big Data, as well as to allow Europe and France to progress in their technological sovereignty.
As the Government stressed that the current health crisis has highlighted the essential nature of digital tools for the resilience of society, Cissé, when addressing the impact of the digital transformation envisioned by the Strategy on organizations' business from a governance, competition, and data protection standpoint, concluded, "In a digital economy, data protection undoubtedly plays a major role, presenting its own set of constraints. [However], with the help of transparent and reliable governance processes, it can also become an important marketing and competitive tool. Thus, the digital transformation as envisaged by the Strategy will not fail to have a substantial impact on organisations, but could logically be part of the reflections and work of digitalisation already initiated in the context of the COVID-19 crisis."
Matteo Quartieri Privacy Operations
Comments provided by:
Sonia Cissé Head of the Technology, Media and Telecommunications/Privacy
Linklaters Business Services
1. Press releases and press kit available in French at:
2. Available at: https://www.ssi.gouv.fr/uploads/2014/12/secnumcloud_referentiel_v3.1_anssi.pdf